Aurora Removal Instructions

Status
Not open for further replies.

equazcion (Beta member, 5 messages)
I recently infected my computer with Aurora to see if I could remove it as kind of a challenge. I did it and I'd just like to help out those perplexed souls looking for answers.

To some this is a step-by-step guide to removing Aurora. To others it is a reference for removing any malware. And to others still, this is just a document that contains useful information. The sections are titled, to make it easier to find information on specific tasks.

I haven't come across any real instructions for removing Aurora in any forum post or website yet, except of course for the myPCtuneup.com uninstaller. That uninstaller will be sufficient for some, who don't mind swallowing their pride and clicking "I Agree" to a statement saying they wanted Aurora on their computers to begin with. I am not one of those people, and if you consider yourself an advanced ("power") user, you probably aren't either. I'm also sure the various malware removers will catch up to Aurora eventually. This obviously is for those who would rather not wait.

These instructions should ONLY be carried out if you have advanced knowledge of computers and Windows XP, are familiar and comfortable with modifying and deleting registry entries, system files, and services (processes). DO NOT TAKE THIS STATEMENT LIGHTLY. These instructions really are intended solely for very advanced users.

Many people with advanced knowledge will be able to remove Aurora without my help - if so, kudos. But this information may make things easier, even for you. This was written with Aurora in mind but should also work for most other malware.

After my labored manual removal of Aurora was successful I came across an article by Lawrence Abrams of BleepingComputer.com that contains information that would have made my job easier. The information contained here is a combination of my experience with Aurora and information from that article.

It is a good idea to take precautions before attempting a 'low-level' operation like this. If you don't know what you're doing you can easily screw something up. Sometimes it even happens to those who DO know what they're doing. Before you begin, make a registry backup, save a system restore point, back up important files or back up your whole damn system. It's not my fault if you damage your system permanently or temporarily as a result of following these steps, bla bla bla.

Note that in the instructions below for navigating and modifying the Registry, I don't use the technically-correct key/value/data terms to describe Registry tree elements. I use terms like "entry", "folder" and "subfolder". I simply find it easier that way. If you disagree, then we are in disagreement.

-----

Preparation

Notes:
First, get yourself a pen and paper to write stuff down. If you want to just use notepad (the program) or something that's fine, but you'll be working in safe mode with limited resolution and therefore not a lot of screen space. Also who knows how the malware will affect your note-taking program? Paper might be easier in this case (but ONLY in this case. Afterwards, burn all your leftover paper.)

This whole mess involves finding things, files and/or settings, that are probably malware and removing them. I am pretty much just telling you where to look. I'll tell you the most commonly known places that malware tend to hide, as well as some not-so-common. What I don't tell you with completeness is what to look for. So, if you find yourself lost and unsure about what's suspicious and what's not, do this whole thing twice; seriously: once to find suspicious things and write them down, and again to remove them. In-between, boot up normally and do your research online to find out what's what.

What To Look For:
Here's a short list of files that are known to be malware. This is by no means a complete list, but it does contain most of the KNOWN filenames used by Ceres/Aurora. Obviously the on-the-fly random-generated names won't be in this list (and there will be some). If in the course of these steps you see registry entries pointing to any of these, obviously remove the entries, and the files themselves. If you see processes running with any of these names, kill them.

- Buddy.exe, ceres.dll, svcproc.exe, poller.exe, uacupg.exe, thnall1ac.html (this HTML file does not contain HTML code, but gets called & run as an EXE, by a DLL. Confused?), DrPMon.dll, bolger.dll, nail.exe (reported in windows folder), nail[1].exe (reported in 'Documents & Settings\[login name]\Local Settings\Temporary Internet Files').

Get Some Programs:
Get yourself Killbox and HijackThis. They're both freeware that are easily attainable online. I won't provide a link - if you can't find them yourself then you shouldn't be attempting this procedure anyway. Also, the evaluation copy of Spyware Doctor is a plus, because it can clean up the arms, legs, and little bits of brain left over from the malware you killed. That and it's one of the best malware removal utilities I've come across. Perform a definition update on Spyware Doctor, if you have it, before continuing. Some users may also want to get Eraser (by Tolvanen, also free), which allows you to 'shred' files from the context menu, rather than send them to the recycle bin. This is the best way to permanently kill and dismember files that you are absolutely certain touched your computer in an inappropriate way. Of course, use extreme caution with this, since anything you erase with it can't be resurrected. Make shortcuts to Killbox and HijackThis (and Spyware Doctor) easily accessible somewhere, like the desktop or start menu.

Kill Current Malicious Processes:
Reboot into safe mode. Safe mode itself eliminates all but the most essential processes from running while you're ethnically cleansing your computer. You'll be performing most of these steps while in safe mode.

Perform a HijackThis scan. HijackThis attempts to catch malware in the act by comparing current settings and files with what they should be by default. It does not catch everything, and conversely, also catches things that really have every right to be there. It is still very useful and should be run often. So again, run a HijackThis scan as your first step. Saving a log file of this might be helpful (with a distinctive filename). You can fix whatever it finds that you think is malicious. Keep track of everything you remove, because that's just good practice for many obvious reasons. I will not be listing those reasons. Because they are obvious.

Run Killbox. Killbox is a tool for removing files that are inaccessible, either by killing the shell process (explorer) before deleting, or by setting files to be deleted on reboot. For now we will use an added feature of KillBox, which kills running processes that stubbornly refuse to stop. Even in safe mode, some malware processes may be running. Kill anything suspicious (use your judgement, you advanced user, you), and make sure "End Explorer Shell While Killing File" is enabled beforehand. To be honest I'm still not quite sure if this toggle applies to process kills or only to file kills, but it can't hurt, right?

I won't go through which processes should be there and which shouldn't be, but here's a tip: Multiple 'svchost's are OKAY, and NOT TO BE TOUCHED. If you kill the wrong one you may trigger an irreversible reboot, which might force you to start over. It is possible that one or more 'svchost's COULD BE malware, but they should be removed using the registry methods detailed below. "Live today, fight tomorrow." By the way if anyone knows of a method of finding out which instance of 'svchost' pertains to which actual process, and how to kill a specific one, please let me know. Make a record of the suspicious processes as you kill them - each process is also a file on your hard drive, and you may need to delete the file and remove its registry entries soon (or now, if you so desire).

At this point make sure no malware processes are running. You're about to start making setting changes and removing files, and you don't want any running malware processes to undo your changes as soon as you make them (or shortly thereafter), like replicating the files you delete. If there are still any suspicious processes running, go back and try to get rid of them. If you become unsure of which processes should be removed, make a list of the suspects' filenames, and either reboot or go to another computer and look them up on Google. Valid processes will come up in searches, some malware processes will come up, and if there are no pertinent results at all then it is probably malware replicating itself as a random filename. Again, Killbox all the malware processes you find.

The Hunt is On.

Startup:
Check your 'Startup' folder ('Start Button -> Programs -> Startup'). Get rid of anything bad. Pat yourself on the back.

Registry (main run):
Run 'regedit'. Open up HKEY_LOCAL_MACHINE ('HKLM' henceforth). Navigate to 'HKLM/Software/Microsoft/Windows/CurrentVersion/Run'. These are straight-up files that get run when your system starts. Get rid of anything suspicious. If you're unsure of something, it's safer to do this using 'msconfig' -> 'Startup' tab, uncheck the suspects, click OK and of course, don't reboot yet, you moron. In general, nothing absolutely critical is kept in this registry location; it's really just a glorified and less-obvious version of the Startup folder.

Registry (shell execute):
Next go to 'HKLM/Software/Microsoft/Windows NT/CurrentVersion/Winlogon'. Aurora has a signature move, where it adds a parameter to the command in your 'Shell' entry here. The 'Shell' entry should contain nothing more than 'Explorer.exe' (on the vast, vast, vast majority of systems). If a path and filename follow 'Explorer.exe', edit the entry and remove the path and filename, but do make note of the file name and location, cause you'll want to get rid of it later (or now, if you want).

Registry (Internet Explorer):
The next registry location is 'HKLM/Software/Microsoft/Internet Explorer'. Another signature Aurora move is to add one or more "Explorer Bars" to Internet Explorer. In actuality any executable or DLL can be entered here as an Explorer Bar, even if it doesn't end up showing anything in IE. Aurora takes advantage of this. Check 'Explorer Bars', 'Extensions', and 'Toolbars' for anything suspicious. It doesn't hurt to check the other sub-folders here, too.

In 'Explorer Bars', you'll find folders with CLSIDs for names, like '{32683183-48a0-441b-a342-7c2a440a9478}'. Each one is supposedly a different Explorer Bar, and for comparison purposes, on my computer there are four valid folders. Check inside each of these CLSID folders for string entries. You're looking for complete path/filenames or variable/path/filenames. There should be none, but if there are, examine it/them, and modify/delete as you see fit. Aurora acts differently and randomly on different machines, but on mine there was one extra Explorer Bar. Click here for a comprehensive list of known CLSIDs. You will be mostly concerned with the BHOs (Browser Helper Objects): http://castlecops.com/CLSID.html. Delete the entire CLSID-named folder that contains the malicious entry.

Registry (SvcHost System Services):
If it isn't already started, start 'services.msc'. You might be familiar with this process list, and you might already have an idea of what you'd like to remove. You also may have disabled one or more services already, successfully or unsuccessfully stopping it from auto-starting at bootup. In any case, here's how to cut the genitals off of a service so it's not even in the list anymore. Keep the genitals in a jar on your dresser afterwards. Pack in formaldehyde to maintain freshness.

Go to 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost'. Svchost processes load as groups, and each entry in this folder is another of these groups (ignore the subfolders, only look at the items actually residing in the 'svchost' folder). Any of these items can be launched through 'svchost' using a command like 'svchost -k rpcss'. Because they get launched indirectly, the resulting processes take the name of their actual launcher, 'svchost', which is why you often see multiple processes running with that name. Check through here for anything unkosher and remove service names from groups or remove entire groups. You may want to start 'services.msc' so you can look up individual service descriptions to help you decide what should and shouldn't be there.

Registry (Other System Services):

Go to HKLM/SYSTEM. You'll notice one or more 'ControlSet###' folders, e.g. 'ControlSet001'. Each ControlSet is a preset list of things that happen on startup. The type of bootup determines which ControlSet is used. Head to 'HKLM/SYSTEM/Select'. You'll see entries for the different bootup types: Default, LastKnownGood, Failed, and Current. We're concerned with 'Default', so look at the data for that entry. It's HEX code - just ignore everything but the end, the number in parentheses. That number tells you which ControlSet you need to work with, i.e., if the number is 1, go to 'ControlSet001'. Once in the right ControlSet folder, go to the Services subfolder.

Compare your 'services.msc' list with the subfolders in this registry location ('Services'). Find the names of the services you want to get rid of but DON'T remove anything yet. For each service you want to remove, go to its 'Parameters' subfolder. Somewhere in there will be a DLL name and location. Make a note of it and go to that location in Windows Explorer, and get rid of the DLL. After you do that, you can go ahead and delete the subfolder pertaining to the malicious service. Note that there is much more here (in the registry Services list) than there is in the services.msc list - this is normal, as this is a list of other files and drivers as well.

Some variants also hide in 'HKLM/SYSTEM/ControlSet###/Enum/Root' (I haven't seen Aurora do this, but again it's possible). Entries here are named LEGACY_(some name). Root out the malicious processes and shock and/or awe them into submission.

Files:
Start -> Find -> Files & Folders. Leave the filename and 'containing text' fields blank. Enable the 'Date' option. Choose 'Files Created' (NOT modified), set the time period to sometime right before you think you got infected with Aurora. I usually use the 'in the last ___ days' option. Enable Advanced Options, then enable Subfolders, Hidden, and System files. Hit 'Search Now'. Change the view to 'Details' mode, add the 'Date Created' column, and sort by that column so that the most current files are at the top. Now you've hopefully got a neat list of what files were created since you got Aurora, and if any files are left after everything else you've done, this is the place to find them. Go through the list, be suspicious of the things you don't recognize or are oddly placed, and obviously, delete the mofo's.

Perform a separate search for each of the known Aurora variants (different filenames) listed in one of the paragraphs way back there. I don't remember which, and it's too far up for me to look now. Just search for them, show no mercy, rape, pillage, kill, burn.

Aftermath

That should be it. Make sure it's really all gone, and then make sure again. Rebooting normally before it's all completely gone could cause it to all come back. Run a HijackThis scan, run Spyware Doctor, wait 10 minutes and then do them both again, to make sure nothing is still re-replicating. It's good to be paranoid about this.

When you're satisfied, reboot normally. Look up a prayer that your respective religion recommends for this kind of situation and murmur it repeatedly.

Choose your own adventure: After reboot, check for Aurora. Run a HijackThis scan and save a log. Run Spyware Doctor. If something bad is found by either one, go to choice 1 below. If nothing is found, skip to choice 2.

1. If something is found, remove it, reboot again normally, and repeat both scans. If something's still there then you may have a problem - go back into safe mode and try to figure it out.

2. If nothing's found, that's good, but don't celebrate just yet. Remember, Aurora likes to hide itself in Internet Explorer. If you missed a key registry entry, starting Internet Explorer could execute Aurora again, wedging itself into every nook faster than a Catholic priest in Boy Scouts. So, if you're confident about your cleanup work and would like to keep testing for Aurora's presence or lack thereof, start Internet Explorer. If you get a popup window entitled "Aurora", you of course have failed miserably. Aurora may not make its presence known right away though, so browse around, close and open IE multiple times. Run HijackThis scans and Spyware Doctor.

If continually nothing new seems to be wrong and you get no popups, then congratulations, you did something someone else told you to do without figuring any of it out for yourself. I'm kidding, you're really an outstanding individual.

I'm tired. Man this thing got long. Hope it helps someone. 'nite
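The registry checks in the post above (the Run key, the Winlogon 'Shell' value, the Explorer Bars CLSID folders, and the Services list of whichever ControlSet 'HKLM\SYSTEM\Select\Default' points at) can also be applied offline to a regedit export, which fits the post's own "do it twice" advice: export the keys from safe mode, then review the text on another machine. The script below is an added example and is not the poster's tooling or any of the programs the post names. It assumes the standard .reg text format that regedit writes (one-line REG_SZ and dword values only; multi-line hex values are kept raw), that a service's DLL path lives in the 'ServiceDll' value of its 'Parameters' subkey, and it runs against a constructed sample export embedded inline; the CLSID '{00000000-1111-2222-3333-444444444444}' and every path in that sample are made up for the example.

```python
"""Offline audit of a regedit .reg export for the registry indicators the post
walks through by hand. Added example; not the post's own tooling."""
import re

HKLM = "HKEY_LOCAL_MACHINE"

# Filenames the post lists as known Ceres/Aurora components (lowercased).
KNOWN_BAD = {
    "buddy.exe", "ceres.dll", "svcproc.exe", "poller.exe", "uacupg.exe",
    "thnall1ac.html", "drpmon.dll", "bolger.dll", "nail.exe", "nail[1].exe",
}

# Constructed sample export: paths, the second CLSID and the SvcProc service are
# made up for this example; the Shell line mirrors the tampering the post describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Buddy"="C:\\WINDOWS\\Buddy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\nail.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{00000000-1111-2222-3333-444444444444}]
"Path"="C:\\WINDOWS\\system32\\ceres.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Default"=dword:00000001
"Current"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\bolger.dll"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: data}}.
    REG_SZ values become str, dword values become int, anything else stays raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data
    return keys


def _key(keys, path):
    """Case-insensitive key lookup; registry paths are not case-sensitive."""
    path = path.lower()
    return next((v for k, v in keys.items() if k.lower() == path), {})


def _basenames(data):
    """Lowercased file names mentioned in a string value (bare names or full paths)."""
    return {tok.rsplit("\\", 1)[-1].strip(",;\"'").lower() for tok in data.split()}


def control_set_name(keys):
    """Name of the ControlSet that SYSTEM\\Select\\Default selects, e.g. 'ControlSet001'."""
    cs = _key(keys, HKLM + r"\SYSTEM\Select").get("Default")
    return "ControlSet%03d" % cs if isinstance(cs, int) else None


def audit(keys, known_bad=KNOWN_BAD):
    """Return (location, name, data) triples that the post's checks would flag."""
    findings = []
    # Run: plain startup entries; flag any that launch a known-bad filename.
    for name, data in _key(keys, HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run").items():
        if _basenames(str(data)) & known_bad:
            findings.append(("Run", name, str(data)))
    # Winlogon Shell: should be exactly Explorer.exe; anything appended also runs at logon.
    winlogon = _key(keys, HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    shell = str(winlogon.get("Shell", "Explorer.exe"))
    if shell.strip().lower() != "explorer.exe":
        findings.append(("Winlogon Shell", "Shell", shell))
    # Explorer Bars: a CLSID subkey holding a path-like string value is the post's tell.
    prefix = (HKLM + r"\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{").lower()
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            for name, data in values.items():
                if isinstance(data, str) and ("\\" in data or data.lower().endswith((".exe", ".dll"))):
                    findings.append(("Explorer Bar", key.rsplit("\\", 1)[-1], data))
    # Services: only the selected ControlSet matters; inspect each Parameters\ServiceDll.
    cs = control_set_name(keys)
    if cs:
        svc_prefix = (HKLM + "\\SYSTEM\\" + cs + "\\Services\\").lower()
        for key, values in keys.items():
            if key.lower().startswith(svc_prefix) and key.lower().endswith("\\parameters"):
                dll = str(values.get("ServiceDll", ""))
                if _basenames(dll) & known_bad:
                    findings.append(("Service", key.split("\\")[-2], dll))
    return findings


if __name__ == "__main__":
    for loc, name, data in audit(parse_reg(SAMPLE_REG)):
        print("%-15s %-42s %s" % (loc, name, data))
```

To use it on a real box, export each of the locations the post names with `regedit /e <file.reg> "<key path>"` from safe mode, concatenate the exports, and run `audit(parse_reg(open(path).read()))` elsewhere; a hit only tells you where to look, so the post's research step before deleting anything still applies.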
 
Nice job. It's kind of ironic because I just wiped my other computer's hard drive less than 2 hours ago because I couldn't figure out how to get rid of Aurora lol. Wish I would have checked here first now.
 